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(57) Abstract 

A method and apparatus for analyzing multiple computer network vulnerabilities, capable of gathering vulnerability data from one 
or more hosts (15) within the network and generating a directed graph from the gathered vulnerability data. Nodes in the graph represent 
vulnerabilities within the network. Paths between nodes are edges, and represent probability values associated with moving from one 
vulnerability to another. 
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APPARATUS AND METHODS FOR 
ANALYZING OTJI-TIPtiE NETWORK SECURITY VULNERABILITIES 



TECHNICAL FIELD 

This invention relates generally to computer data 
networks and, specifically, to a network vulnerability 
analysis tool. 

BACKGROUND OF THE INVENTION 

As the world transitions to more standardized 
digital communications driven by the various international 
standards organizations, and as interoperability becomes the 
norm for both communication networks and processing systems, 
information systems have and will become the targets for 
penetration, deception, and/or destruction by adversaries. 
Absent a constant vigilance and administration, any secure 
system will become more vulnerable over time. This is due to 
both internal and external sources. Internally, as access 
privileges are granted to new users or increased to existing 
users (including unauthorized access) , the security profile 
of the system changes, usually for the worse. Client/server 
architectures, remote access, and trusted networks exacerbate 
the problem. 
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Externally, as the profile of the network becomes 
more familiar to an intruder and as penetration methods become 
more sophisticated, the system becomes less secure. 

In the beginning of computer security, when there 
5 was little or no network connectivity, most of the attention 
was drawn towards insider threats and internal computer 
misuse. For instance, a user is granted a particular set of 
privileges and abuses it by accessing unauthorized files or 
modifying data for his or her own purpose. 
10 During the 1980s and 1990s, as the Internet grew at 

an astronomical rate - from under 2,000 hosts in October 1985 
to currently over 18 million hosts - firewalls drew a lot of 
attention. Firewalls allow companies and other entities to 
have partial connection to the Internet, while retaining some 
15 amount of physical isolation. Corporations were quick to 
create gateways from their internal networks to the Internet 
and used firewalls to protect their security. 

Now, it appears that the focus is once again on 
internal threats . Many corporate intranets are now larger than 
50 the entire Internet was in the mid-1980s. With trusted hosts 
providing connectivity between different business units and 
corporate partners, companies now have a number of machines 
that are effectively behind the corporate firewall. Managing 
the complexities of connectivity between all of these hosts 
15 forces system administrators to view firewalls as only a 
complement to other security measures. 

A system administrator has ' a number of powerful 
security and audit tools available to deal with the 
aforementioned problems. Many of these tools are freely 
0 available. Two major classes of system security tools that 
address the issue of internal threats and system integrity are 
1) vulnerability assessment systems, and 2) intrusion 
detection systems. The former is proactive; it looks for 
potential system vulnerabilities. The latter is reactive; it 
5 attempts to detect that an attack or intrusion has occurred. 

The present invention relates to a vulnerability 
assessment system, of which two types are now known to exist: 
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1) Single system, internal privileged assessment using 
software packages running on a single system with superuser 
privileges . One example of such a system is Computer Oracle 
and Password System (COPS) , a UNIX security status checker 
5 which can be retrieved via anonymous File Transfer Protocol 
(FTP) from cert.org in - /pub/ tools/cops ; and 2) Distributed, 
external, non-privileged assessment packages that can scan 
several systems for weaknesses . An example of such a package 
is the Security Administrator Tool for Analyzing Networks 
10 (SATAN) . SATAN recognizes several common networking- related 
security problems, and reports the problems without actually 
exploiting them. 

In general, these packages are difficult to use, and 
hard to maintain. Because databases may not be updated as new 
15 information is acquired, it is difficult to keep the checks 
up-to-date. A person must walk from system to system with a 
floppy disk to check the security of each system. Even so, it 
is difficult to know if all of the checks are being performed 
properly. This is because checks are often hidden deep inside 
20 scripts that do not have any obvious relationship to the files 
being exercised. To learn what list of checks is being 
performed requires examining the source code in detail . Such 
an examination is burdensome and time consuming. 

Another problem is the lack of a clear security 
25 policy. System Administrators typically leave the checking 
programs alone, or else run all of the tests, and then remove 
the tests that cause problems. There is no clear definition 
of policy for the system, and no clear relationship between 
the policy, the tests performed, and the tests igpnored. 
30 Therefore, it is difficult to know if a system is vulnerable, 
cuid how a particular feature relates to the vulnerability. 

A third flaw in the architecture of these systems 
is the lack of a clear hierarchy of features in each system. 
Currently, code is written for a single platform, and when 
35 other platforms are added, the code is modified with branch 
conditions for each architecture- This makes the code hard to 
follow, and makes it hard to know what check is being 
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performed. 

Standard vulnerability assessment techniques are 
suitaUale for finding major security problems and may help 
protect a system from a brute force attack- However, they 
offer no defense against a hacker using a series of techniques 
to gain access to a system through a series of weaknesses- It 
is possible for a hacker to use a series of techniques to gain 
access to a system through a series of weaknesses of least 
privilege . 

What is needed, then, is a vulnerability assessment 
tool that can diagnose and analyze multiple security 
vulnerabilities of a computer data network and the manner in 
which security safeguards strengthen those weaknesses, and can 
provide an easily understood display (both in 2- and 3- 
dimensions) of the network and its vulnerabilities. 

SUMMARY OF THE INVENTION 

The present invention broadly comprises apparatus 
and methods for analyzing multiple computer network 
vulnerabilities, coTT5)rising gathering vulnerability data from 
one or more hosts within the network; and, generating a 
directed graph from the gathered vulnerability data where 
nodes in the directed graph represent vulnerabilities within 
the network. Paths between nodes are defined as edges, and the 
edges represent probability values associated with moving from 
one vulnerability to another. The invention also includes two 
separate methods of analysis: a probabilistic approach and a 
maximum flow approach, both accomplished by computer software 
implementation of algorithms. The invention displays the 
results of the analysis in a number of ways, and is capable 
of displaying a topological display of the computer network 
vulnerabilities - 

These and other objects, features and advantages of 
the invention will become readily apparent to those having 
ordinary skill in the art upon a reading of the detailed 
description of preferred embodiments and the appended claims 
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BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 is a representative software architecture 
that can be used in association with the present invention. 
. 5 Figure 2 is a representative common Application 

Program Interface (API) and integration module that can be 
used in association with the present invention. 

Figure 3 illustrates a Central Assessment System 
(CAS) and agent dialogue in a representative secure 
10 communications protocol that can be used in association with 
the present invention. 

Figure 4 illustrates a representative secure 
communications protocol that can be used in association with 
the present invention. 
15 Figure 5 is a network vulnerability assessment 

graph . 

Figure 6 is an example vulnerability graph 
illustrating about 2,000 vulnerabilities found on a few nodes 
of a network thought to be reasonably secure- 
20 Figure 7 is an example vulnerability graph generated 

by the invention. 

Figure 8 is a maximum flow result graph of a 

network. 

Figure 9 illustrates data grouped by attack paths. 
25 Figure 10 illustrates more detailed data about 

attack vectors . 

Figure 11 quantifies the attack paths shown in 

Figure 4 . 

Figure 12 is an example of security safeguard 
3 0 allocation. 

Figure 13 graphs the effect on vulnerability of 
security safe-guard allocation. 

Figure 14 is an example of an attack in progress. 

Figure 15 graphs the probability of monitoring an 
35 attack during its occurrence. 

Figure 16 is a three-dimensional display showing the 
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probability of monitoring an attack during its occurrence 
given multiple independent detection systems. 

Figure 17 shows the startup button of the software 
program of the invention. 
5 Figure 18 illustrates the start-up screen of the 

software program of the invention. 

Figure 19 illustrates the GML Open Window. 

Figure 20 illustrates an example vulnercO^ility 

chain . 

10 Figure 21 illustrates a vulnerability analysis 

probabilistic result for the chain illustrated in Figure 19. 

Figure 22 illustrates a screen capture of a 
vulnerability analysis graph result. 

Figure 2 3 illustrates a vulnerability analysis 
15 maximum flow result. 

Figure 24 illustrates a vulnerability analysis graph 
maximum flow result - 

Figure 25 is an illustration of articulation points 
of the graph shown in Figure 24 . 
20 Figure 26 is an alternative tree down depiction of 

the graph node positions, showing the attacker as the root. 

Figure 27 illustrates a vulnerability graph before 
nodes have been grouped . 

Figure 2 8 is a screen capture similar to that shown 
25 in Figure 27, but taken after the nodes have been grouped. 

Figure 2 9 illustrates the group control window of 
the invention. ...... 

Figure 3 0 illustrates how to add a new node to a 
vulnerability graph to facilitate analysis of a "what if" 
0 scenario. 

Figure 31 is a screen capture of a window used to 
change a node label. 

Figure 32 is a screen capture of a window used to 
modify an edge . 

35 Figure 33 is a screen capture of the resulting graph 

after a node and edge have been added. 

Figure 34 illustrates the textual result of a 
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probabilistic analysis run on the modified graph of Figure 33- 
Figure 35 illustrates the graphical result of a 

probabilistic analysis r\m on the modified graph of Figure 33. 

Figure 36 is a representative topological map of 

vulnerabilities in a network created by the invention. 



DETAILED DESCRIPTION OP THE PREFERRED EMBODIMENTS 

A system 100 for analyzing multiple computer. network 
vulnerabilities in a computer network comprising a security 
computer and a plurality of host computers 15 is illustrated 
in Figure 1, According to the embodiment shown in Figure 1, 
a Central Assessment System (CAS) 10 resides on security 
con5)uter 50- CAS 10 is in communication with a plurality of 
software agent sets 16. Each software agent set 16 resides on 
a respective host computer 15. 

Each software agent set 15 includes an unprivileged 
agent 17 and a super agent 19. Unprivileged agent 17 is 
configured to communicate with CAS 10 via BSD socket 
connections. Super agent 19 is configured as a proxy server 
and as such, is accorded root privileges and network access 
permissions which unprivileged agent 17 does not have, in 
accordance with known techniques for configuring proxy 
servers . Typical authentication and encryption techniques are 
applied to communications between CAS 10 and unprivileged 
agent 17 and between unprivileged agent 17 and super agent 19 
to prevent unauthorized access to privileged information 
accessible by super agent 19. 

According to one embodiment of the invention, 
security computer 50 is adapted with a UNIX operating system 
and is ideally positioned in a highly secure location, such 
as a locked room having restricted access. The architecture 
of computer 50 is an automated Unix system management system, 
which monitors hosts connected by a network and reports 
proactively on system degradation and vulnerable 
configurations. CAS 10 resides on computer 50 and includes an 
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Expert System (ES) 23, a Dispatcher 25, a Configuration 
Manager (CM) 27, an Integration Module (IM) 29, and one or 
more supporting databases 31. Supporting databases 31 include 
PERL library 32, custom data 33 and policy data 34. Both CAS 
5 10 and software agent set are implemented in the JAVA 
programming language. It should be appreciated that, although 
the present invention is implemented in the JAVA language in 
a preferred embodiment, the claims of the invention are not 
so limited, in that the invention could be readily implemented 
10 in other languages by one having ordinary skill in the art. 

ES 23 comprises a plurality of reasoning modules 
which implement rules upon which diagnoses are based. In 
addition, ES 23 contains status and configuration data about 
networked UNIX nodes in order to diagnose vulnerable systems . 
15 The software agents 16 provide data about different hosts 15 
and accounts. The ES 23 may ask the agents 16 for information 
about each host 15 or account- The Perl Library 22 contains 
a collection of methods that can be dynamically downloaded to 
the software agent. This allows the rules in the ES 2 3 to be 
2 0 reused, as it may have rules and understand the class or type 
of object, as well as the methods used to obtain infonnation 
from the objects. It can know how some values returned from 
these queries indicate particular symptoms of system problems . 
Based on this information, the ES 23 may decide to query more 
25 information, initiate a vulnerability in the datcQDase, or take 
corrective action. 

The Dispatcher 25 functions as a message switchboard 
between the ES 23 and software agents 16. The CM 22 provides 
basic configuration information about the network and hosts 
30 15. The Custom Database 33 contains class instances of the 
network (users, hosts, directories, and vulnerabilities) . The 
Policy database 34 is discussed infra. 

The IM 29 is the mechanism by which the ES 2 3 and 
the software agents 16 access system and network information. 
35 It also is the interface for the system to other security 
applications. The outputs of various security tools are 
instantiated into common objects via the IM 29. 



wo 00/70463 PCT/USOO/12724 

- 9 - 

The software architecture described above was 
developed based on the premise that the degree of protection 
from information warfare attacks is highly dependent on the 
amount of time and effort invested in building and maintaining 
system security defenses . The solution offered by the present 
invention is to off load the work and tasks of network 
management to software agents. Each agent 16 operates 
independently, but they all cooperate in monitoring the 
system. Collectively, the software agents 16 achieve the 
overall goal of system monitoring and intrusion detection. 
This approach provides significant advantages in terms of 
scalability, flexibility, and efficiency. 

The software agents 16 are TCP-based server programs 
started up by the root user. Written entirely in Perl 5 and 
less than 50KB in size, the software agents 16 are designed 
to have minimal effect on host performance. The agent code 
does not reside on any network disk. This prevents an intruder 
from modifying the agent code to affect agent behavior. 

The software agents 16 are dynamically extensible 
because methods and instructions can be downloaded to them 
from the CAS 10. Because the software agents 16 do not contain 
a collection of security checks and information-gathering 
modules embedded in them, this greatly helps reduce the amount 
of space the agents occupy in memory. The agent's actions are 
not scripted; the CAS 10 can dynamically choose which actions 
to invoke, and in what sequence, in response to the state of 
its external environment. 

The CAS 10 communicates to the unprivileged agent 
17 by sending it a method and the reference to ah object to 
which the method is to be applied. The object is referenced 
by the object type, followed by the name of that object. For 
example, to reference the route account on machine tango, the 
object reference would be account/tango/root. Basic uploadable 
methods include: 

scandal l^atches - given a reference to a host 

object, an agent will scan for the correct installation of 
security patches for a particular operating system. This is 
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accomplished by taking the MD5 signature of every file 
associated with a particular patch and con5)aring it to the 
signature of the file currently on the system. Operating 
systems that are currently supported include SimOS 4.1-3, Sun 
OS 4.1.3 Ul, Solaris 5.2, Solaris 5-3, Solaris 5.4, and 
Solaris 5.5.1. The patch information is updated regularly by 
the CAS via ftp.uu.net (the official distribution for SUN 
security patches) . 

scan_trojan_directories - given a reference to 

particular directory or user search path, the agent will scan 
for trojan horse vulnerability. This is accomplished by 
recursing through every file and directory to determine which 
files are group or word writable. The method can also handle 
soft and hard links . 

read_all_data - this is a generic method that allows 

an agent to read instantiated vulnerabilities from the custom 
database. This will basically allow different security 
applications to communicate to the agents. The Integration 
Module takes the input for ciny arbitrary number of security 
applications and instantiates vulnerabilities into the common 
00 database as shown in Figure 2. 

An IDS can generate vectors and the IM can 
instantiate vulnerabilities into the common OO database. A 
security agent reads the database to gather security 
information. Other information reporting methods include: 

report_all_vulnerabilities -list all vulnerabilities 

on a particular machine 

dump^root^vulnerabilities - list all root 

vulnerabilities on a particular machine 

oJbject_couj3t - the number of objects the agents 

knows about from the custom database 

The count of the number of vulnerability instances 
is a primitive measure for system administrators to show 
progress in securing their networks. The present invention as 
described infra provides a closer examination of each 
vulnerability listed to clearly indicate what steps are 
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necessary to reduce the number of instantiated vulneraibility 
objects • 

The interface between the privileged agent and non- 
privileged agent must be secure- An intruder who has access 
5 to the interface cannot ask the system to weaken the system 
security. The interface is designed to be as simple as 
possible, as complex systems are harder to secure - 

Consider an example where the CAS asks the 
unprivileged agent on a host to gather some information. The 

10 unprivileged agent wants to examine the security of a file, 
and does not have permission to do so. It asks the privileged 
agent to get the information, and pass the results back to the 
non-privileged agent. This dialogue is shown in Figure 3. 

The format of each request is a packet containing 

15 the following four fields: type/ length, data, and signature. 
The type field identifies the type of packet, the type of 
signatures used, and the format of the packet. Some packets 
could contain binary information, others ASCII. The length 
indicates the amount of data (and/or the length of the 

20 signature field) . The data is the command issued. It is always 
encrypted using DES-ECB. The signature can vary with packet 
type (some types may not have a signature field) . One of the 
common signatures will be the MD5 hash of the data, encrypted 
using the secret key shared between the two systems. In this 

25 manner, the integrity of the command, and authentication, can 
be confiimed before the command is executed. 

For each communication session between either the 
CAS and the unprivileged agent or between the unprivileged 
agent and the super agent, there are authentication mechanisms 

30. and an exchange of keys. This security protocol is shown in 
Figure 4 . 

There is a secret master key and secret master TCP 
port that the two entities use to establish a secure 
communications channel. The shared key and port is known only 
35 between the entity pair. The master key and a master TCP port 
are used to establish a session key and session port. At each 
intermediate step, a random challenge is issued to 
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authenticate the sender and to prevent message replay. Once 
the secure cotnmunication channel is established, the two 
entities can continue to communicate, and no additional 
handshaking is necessary. Table 1 below shows the contents of 
the payload, the encryption key used, and the TCP port used 
at each step of the protocol. 

Table 1. Payload, Key, and Port for Protocol 



Stage 



Payload 



Encryption Key 



TCP Port 



10 



Request for 
Conversation 



Master 



Master 



Random 
Challenge 



Master 



Master 



15 



Random 

Challenge and 
Session Key 



Master 



Master 



Random 

Challenge and 
Session Port 



Session 



Master 



20 



Random 

Challenge and 

Information 

Request 



Session 



Session 



25 



Random 

Challenge and 
Information 



Session 



Session 



The privileged agent has a database and caching 
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mechanism that identifies the list of commands, and the 
security requirements necessary for each command. For 
instance, any system might be sible to see if the privileged 
agent is running, and obtain the revision of the agent . Or the 
5 agent may refuse to acknowledge an outside query- The choice 
is up to the agent, and the person who installed the agent. 

It is unlikely that a complete list of security 
problems exists. New ones are always being reported. The 
architecture is not intended to be a list of unrelated 

10 problems, but an organization based- on -operating system, 
release level, and policies. The goal is to have an integrated 
knowledge base, so that an intelligent system can react to 
exploitation problems without disabling the entire network. 
The Security Policy Database (SPD) provides a structured, 

15 qucuitif iable way to record information about systems and their 
flaws as they are discovered. 

There is a direct relationship between the object 
classes and the information in the database. This object model 
allows evolution and code reusability, allowing modification 

2 0 of classes with minimum impact. Five kinds of items in the SPD 
are as follows : 

Objects: Objects are resources and actors on a 

computer system. They may be such concrete or abstract things 
as files, peripherals, network ports, and users. Objects are 
25 represented by a list of labeled data values. 

Systems z Systems are the active software systems 

providing services oh a network. Examples of systems are the 
kernel, mail and Web servers, and the file system. 

Abilities z Abilities are the actual services 

30 available from systems that act upon or at the request of 
objects. Abilities are represented by a set of preconditions 
indicating states of objects necessary to use the ability, and 
a set of post- conditions indicating changes to the objects 
from the use of the ability. Abilities may be intentional, 

35 such as the ability for the owner of a file to modify it. They 
may also be unintentional, such as the ability of network user 
to gain root access from certain versions of the mail system. 
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Policy: Policy describes what is allowed and 
disallowed (e.g., world readable files, no passwords in the 
clear over the wire, authenticating based on IP address. File 
Sharing, unauthenticated mail, set-uid files on home 
5 directories, finger, in a search path, etc.) • The policy 

has impact levels. That is, each policy should indicate the 
importance of the policy. A sin^jle rating system may include 
states: (Allow, Should, Should Not, Disallowed, Unknown). A 
policy may start out as "Unknown/Don't Care", then change to 
10 "Should Not", and later change to "Disallowed" based on 
conditions. Other schemes may also be appropriate- One option 
is to have a variable policy, with a range of values, ensuring 
genetic variability in systems. 

Regions I Regions represent the organization of 

15 processes, corresponding to a chain of command. A relationship 
between bosses and workers is defined by this object class, 
and its relation to other objects of the same class. One model 
may be simple: Each region has one boss, and each regional 
boss may have several sub regions reporting to it. Other 

20 models may include two levels of command for each region, or 
shared authority. Regions group systems, and may be 
geographical, or authoritative. 

Figure 5 is an instance of a typical security object 
model. Just as a virus uses host cells to reproduce, an 

25 attacker enters the network and can choose from a variety of 
vulnerabilities to take control of the network. In Figure 5, 
an attacker decrypts the password of User 2 on Host 1. The. 
cost to the attacker is (10,0,0,0) which is a vector of the 
form: (password decryption, NFS spoofing, host spoofing, 

30 application fault) . From that point, an attacker may illegally 
modify File System 1 on Host 1 with a cost of (0, 10, 0, 5), 
or decrypt the password for User 1 on Host 1 with a cost of 
(10, 0, 0, 0) . Host 3 in Figure 5 is an example of host 
spoofing in which the attacker can use File System 1 on Host 

35 1 in order to change the identity of a host. From the graph 
shown in Figure 5, it should be understood that the network 
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is as vulnerable as the weakest path. 

The preceding description is intended to set the 
background, by way of example, for a representative object 
model, software architecture, software agents and secure 
communications protocol that may be used in conjunction with 
the present invention. It should be understood, however, that 
other models, architectures, types of software agents and 
communication protocols may be used, and thus the preceding 
description is not necessary to enable one having ordinary 
skill in the art to make and use the invention, which is 
described here below. 

In the description that follows, the method and 
apparatus of the invention will be referred to as the "tool" 
for convenience. The tool is a Java-based network 
vulnerability and analysis tool. 

Figure 6 displays 2000 vulnerabilities found on a 
few nodes of a network that were thought to be reasonably 
secure. Vulnerabilities are displayed in Figure 6 by host and 
type. The number along each edge of the graph represents the 
number of opportunities available to the attacker to reach the 
next vulnerability. Using this information, the tool has 
several algorithms for determining the vulnerability, V. 

In a preferred embodiment, the tool uses two 
fundamental techniques for determining vulnerability to 
attack. Both techniques are based on determining "insecurity 
flow." The tool can display the results at various levels of 
detail, including the individual host level, vulnerability 
types, host types, or individual vulnerabilities. 

The tool can automatically generate a directed graph 
representing the security vulnerabilities of a network. This 
information is gathered from the network security software 
agents described above. The security vulnerability graph for 
a typical network can be extremely dense; however, the object- 
oriented nature of the security model described above is 
useful in choosing the level of abstraction required. For 
example, it may be possible to display the vulnerability graph 
for Unix hosts in general and hide the details of individual 
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Unix variants. The tool determines the degree to which 
specified targets within the network can be compromised- The 
vulnerability chain is displayed as a directed graph. Nodes 
represent vulnerabilities whose security may be compromised 
5 and edges represent paths from one vulnerability to another. 
The larger the value of the edge label, the greater the 
vulnersd^ility . Figure 7 shows an example vulneraibility graph 
generated by the tool. 

One of the security assessment operations the tool 
10 can perform is to determine, the vulnerability of a particular 
entity given an attack on a particular node. The target entity 
Host C Vulnerability 4 is identified by a white cross-hair in 
Figure 8 and the attacking node is labeled Attacker with the 
flow identified by the label of its connecting path. The 
15 optimal vulnercJoility path is the sum of flows into node Host 
C Vulnerability 4 as shown in Figure 8, a flow strength of 
6.0. 

In Figure 8, the optimal path that the attacker can 
take to reach the target is shown. Thus the tool provides the 

20 ability to examine how the placement of security safeguards 
such as intrusion detectors within the network affect total 
network security. In effect, this tool becomes a security 
modeling tool, where one can experiment with the placement of 
security safeguards representing such entities as firewalls, 

25 intrusion detectors, and access lists. These can be positioned 
at various locations in order to determine network security. 

The tool allows various types of node groupings in 
order to help visualize the vulnerability paths. In Figure 9, 
all object types are grouped together. The nodes could also 

30 be grouped by such characteristics as hostname or subnetwork. 
In Figure 10, the vulnerabilities which have been identified 
and grouped as vectors to vulnerability targets have been 
es^anded to show more detail about the individual 
vulnerabilities. In Figure 11, all 4 0 parent objects of 

35 sun4/bin are grouped within a single node. Also note that the 
root account is clearly visible as reachable through the 
vulnerability path. 
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It becomes clear that defensive security safeguards 
cannot be studied independently of offensive information 
warfare. Thus, a tool that can accurately study both is 
desirable. Initially, perfect information is assumed to be 
5 available to both the attacker and defender. Later, the 
effects of the more realistic case of imperfect information 
is considered, since neither the attacker nor the defender can 
have complete knowledge of one another's state. 

The attacker can use one or more combinations of the 
10 following types of attack. An attack consists of a string of 
one or more of the following classes: 

interruption - Interruption is the termination of 
a service required by the network. Purposely overwhelming an 
application so that it cannot service other users is an 
15 exanple of • interruption. 

interception - Interception is obtaining information 

from the network useful for an attack. An example of 
interception is obtaining information from the network useful 
for an attack. 

20 modification - Modification is a change of 

information in the network which weakens network security. 
Planting a virus is an example of modification. 

fabrication - Fabrication is the construction of 
data for the purpose of weakening network security. This could 

25 include guessing passwords or building and sending invalid 
protocol data units. - * 

Barriers exist to these forms of attack besides 
firewalls as shown in Table 2. Note that these defenses are 
effective independent of time. The simplified attack cost 

30 vector is shown in Equation (1) . In this analysis 
vulnerability is quantified in units of time. For example, 
fabricating a password on a particular node will cost an 
attacker the amount of time which depends on the rate that new 
passwords can be generated, the number of accounts on the 

35 target node, and how well the passwords have been chosen. 
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10 Using the tool and analysis methods of the present 

invention, a network security analyst can allocate security 
safe-guards in order to minimize the entire network 
vulnerability, or to minimize the vulnerability from known 
attack points to particular targets . 

15 As an attack takes place, the defender can use the 

tool to study the effectiveness of various strategies using 
actual network vulnerabilities, but within the safety of a 
simulation environment. The analysis tool can be used to 
determine the optimal location of services to be cut • The 
^ 20 effect of concentrating on reducing specific vulnerability 
classes will be the focus, rather than cutting-off access to 
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entire network hosts that have been compromised. Also, by 
studying the past history of an attack, it will become 
apparent which vulneraJaility classes a particular attacker 
prefers to exploit . 
5 From a fundamental network vulnerability flow 

viewpoint, the strategy of allocating safe-guards in 
combinations of serial and parallel strategies can be 
examined. Figure 12 shows Network Insecurity Path Assessment 
Tool analyzing an attack from host A to host B. In this case, 

10 the number of opportunities have been normalized into 
probabilities. Figure 13 shows the results as security safe- 
guards are removed. The solid line is the vulnerability of a 
single connection from the attacker to the defender having the 
same vulnerability flow as the links shown in Figure 12. Below 

15 a probability of 0.6 the diversity of vulnerability types 
helps to increase security, but interestingly, above 0.6 it 
does not . 

Once an attack has been detected, the network 
command and control center can respond to the attack by 

20 repositioning security safe -guards and by modifying services 
used by the attacker. However, cutting-off services to the 
attacker also impacts legitimate network users and a careful 
balance must be maintained between minimizing the threat from 
the attack and maximizing services to customers. For example, 

25 various stages of an attack are shown in Figure 14. Since the 
allocation of security resources never changes throughout the 
attack, the vulnerability of the target increases 
significantly with each step of the attack. 

Because vulnerabilities change over time, the 

30 network monitoring tool described quantifies the vulnerability 

of a system in terms of percent of patches which fail to have 

the correct signature (pf) , percent of files which are 
» 

accessible to others besides the owner (p,.) , and percent of 
passwords which can be guessed with a given password 
35 generation tool (p,) . Clearly, vulnerability checks such as 
these increase the security of the network. The effectiveness 
of a network monitoring strategy is quantified by both the 
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type of information gathered and the frequency that the 
information is updated. If the information is not updated 
frequently enough, an attacker may have penetrated network 
security and left before network security is aware of the 
5 situation. 

In this analysis, a path with perfect security has 
a cfi(Pi) 00 , and a path with no security has a cfiCpJ 

0. The vulneraibility of a path is defined as the inverse of 
the cfi(pi). An estimate of the effectiveness of the 

10 monitoring system is based on. a profile of network security 
attacks on the Internet and the following parameters: time to 
monitor patches, Trojan horses, passwords, and any other 
vulnerabilities (t,) , the attack rate is Poisson and the 
attack duration is exponential with average a^., and monitoring 

15 is performed every seconds. The average attack rate, based 
on Internet incident reports from an anonymous site for a six 
year period, is five attacks per month- Also, the Defense 
Information Systems Agency has determined by experimental 
means that only 0.7% of incidents are actually reported. Thus 

20 the probability of detecting an attack while the attack is 
taking place along path i is shown in Equation (2) , and the 
results are graphed in Figure 15 with a^ = 5/(0.007) (30) (24), 
the y-axis is P [detect], and the x-axis is X„. + t,. 

/}.[detectl=l-e"'if^ (2) 



25 Thus, for each path in the network security 

vulnerability chain, the cost to the attacker is the 
probability of being detected multiplied by the cost function 
that the additional monitoring provides. Thus the total cost 
function is shown in Equation (3) . 



30 



wo 00/70463 



- 21 - 



PCT/USOO/12724 



Figure 16 shows the increase in probability of 
detection as an intruder passes through multiple systems where 
each system has its own independent detection system. 

The tool has served as experimental validation of 
a variety of techniques to analyze a commiinications network 
for vulnerabilities. It can be taken a step farther, however, 
by adding the capability of automatically determining the 
placement of security safeguards based on predetermined cost 
limitations ... 

Let S be the placement of security safeguards (e.g., 

encryption, firewall, authentication), and V be the 
vulnerability- Let C be the cost of the safeguards, and L be 
some threshold to the acceptable cost. The Object Function (4) 
sets up the optimization problem: 

min V(S) (4) 
subject to C(S) < L. 

Network security tends to hamper the effectiveness 
of the network to legitimate users. Taking this into account, 
let CS represent the network service to legitimate users of 
the network, with a minimum accepted quality, Q, and V'(A) be 
the vulnerability of the network to a particular attacker, A. 
The Object Function (5) sets up the optimization problem: 

min V(S,A) 

subject to CS > Q (5) 
C(S) < L. 

The tool is written in Sun Java with JDK 1.2. 
Secanal is the main Java application. The use of the tool will 
now be explained in detail - 

Enter "java Secanal" to begin the application. A 
large button should appear as shown in Figure 17. The complete 
command line arguments are "java Secanal [-b filename) t-f 
filename] [-s nodenumber] [-1 layout]". The -b option loads an 
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IW file explained infra, the -f. option loads a GML file 
explained infra, the -s option begins the applications with 
a given node already selected, and the -1 option is the label 
of a menu item to be executed upon start-up. 

Click on Start Security Analysis to bring up the 
screen shown in Figure 18. Note that at any time nodes and 
edges can be added, deleted, or modified in a vulnerability 
graph in order to test "what if" scenarios. The toggle 
switches in the upper left allow Nodes and Edges to be created 
or selected. Clicking on the graph in the mode shown in Figure 
18 will create a new Node. 

The graph area is three-dimensional; the view angle 
can be changed by clicking within the viewing angle area in 
the lower left of the screen. An "x" will be placed in the 
view area indicating the corresponding angle of 6 and (p. In 
addition the scale can be changed. The viewing offset is 
required because the graph area is larger than what is 
displayed within the window. Click on File from the menu along 
the top of the screen. The window shown in Figure 19 will 
appear. Open the gmi directory and open example. gml. GML is 
a standard notation for representing graphs and can be read 
by other graph applications such as graphlet {http://www.uni- 
passau.de/graphlet/) . 

Select example. gml and the example graph should be 
loaded as shown in Figure 20. The nodes represent 
vulnerability classes, the edges represent the number of 
opportunities to advance from one vulnerability class to 
another . 

There are two main algorithms that can be run; the 
first is a probabilistic analysis and the second is a maximum 
flow analysis. First, the probabilistic analysis will be 
discussed. Select a node to be the target of the attacked by 
clicking on the Select Nodes toggle button. Then select a node 
(e.g., hosts C Vuln 4) . A white cross hair should appear over 
the node to indicate it has been selected. Choose Algorithms; 
choose Security Analysis Models and finally choose 
probabilistic analysis. A text window shown in Figure 21 
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should appear which states the probability of successful 
attack followed by the result graph shown in Figure 22 . The 
result graph shows the most probable path of attack 
highlighted. The edge values are normalized between 0 and 1 
5 to represent the probability of an attacker choosing that 
path. 

The analysis can also be run using the maximal flow 
algorithm as follows: Choose File and Open GML, Then choose 
the gml directory and choose the example. gml file. The graph 

10 window should appear as shown in Figure 20.. Select Hosts C 
Vuln 4 again and choose Algorithms Security Analysis Models 
and Max Flow Analysis. The text window shown in Figure 23 
should appear as well as the graph results shown in Figure 24 . 
The edge values have been changed to show the moiximum flow 

15 along each edge towards a target node. In this case there is 
a flow of 1.0 and a flow of 5.0 which can reach the target 
node. Now choose File and Exit This Window in order to close 
the window in Figure 24. The original window should still be 
open. 

20 One method of adding security may be to partition 

the vulnerabilities so that paths do not exist across the 
vulnerability chain. One method to determine how to partition 
the chain is to determine the articulation points. These are 
single nodes which if removed from the graph will partition 

25 the graph into multiple disconnected subgraphs. In order for 
this to work the graph must be undirected. Choose Properties 
and Directed. This will toggle the graph in undirected mode; 
the arrows will disappear from all the edges. Next choose 
algorithms and Biconnectivities and choose Find Articulation 

30 Points. A window as shown in Figure 25 will appear. In order 
to identify the node number on the graph, select a node and 
the node number and position will appear along the top of the 
main window. 

The tool is also capable of executing other commands 
35 and controls such as automated node layout, importing .and 
exporting vulnerability graphs, filtering, grouping, and 
automatically adding an attack node. 
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The options labeled Tree and Spring under Algorithms 
are different methods for displaying the graph node positions. 
For example, select a node to be the root of the tree and then 
select Tree and Tree Down. Figure 26 shows the result of 
5 selecting the attacker as the root in choosing Tree Down. The 
Spring button attempts to layout the nodes such that edges 
modeled as springs and the nodes are positioned such that the 
energy between the springs is minimized. 

An optional argument to Secanal is -b 
10 filename. filename is the complete path and file in which data 
collected from the IW agents are collected. The file format 
is similar to the following: 

Start up server on port 1661 
Server listening on port 0 using f ileno 5 
15 Server.pl: Boss send us message of: read_all_data 

host/HostA 
IW . pi : handle_request 
read relationship Relationships 
read os PERM .Solaris .2 .5 . l-SunOS/5 . 5 . 1 
20 Found OS SunOS/ 5.5-1 

IW . pi . handle^recpiest : exit 

Server.pl: Boss send us message of: report_all_f iles 
host/HostA 
IW.pl :handle_request 
25 ID: Vulnerability/ */991 

NAME :Vulnerability/hostb/14 

data [count] =0 * , 

data [name] =Vulnerability/hostb/14 
data [ type ] =Tro j an 
30 data [vector] =:Directory=HASH ( Ox51ca54) 

data [victim] =Account=HASH (0x460f c8) 
data [attaclcer] =:Account=HASH (Ox46de24) 
Reference (Account) = ( account /hostb/ root) 



When importing vulnerabilities, there can exist many 
35 thousands of fundamental vulnerabilities which can overwhelm 
this tool and the user if they are displayed individually. 
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However, vulnerabilities can be grouped based on Host, Id, 
Type, and a combination of Host and Type. This means that only 
one vulnerability will appear for each host, vulnercQDility 
identifier, vulnersdDility type, or a combination of host and 
5 type. Choose Algorithms and Filter Nodes and then one of the 
above filter types. Once this has been done, the tool will 
remember that filter and apply it each time vulnerability data 
is imported. To import vulnerability data, choose Algorithms 
aind Import and Update Security Model. Note that imported 
10 vulnerability data updates the graph. For exatiqple, if a 
vulnerability graph is already displayed on the screen then 
importing vulnerability data will add the data to the graph. 

There are two methods for exporting vulnerability 
graph data. The first is to save the graph in a GML file. This 
15 can be done choosing File and Save As GML. The second export 
format is a format readable by Matheraatica. Choose Algorithms 
and Export Data and Convert to Mma. The data will be saved in 
a directory named mma assumed to exist under the current 
directory in which Secanal resides. The files are Ad j .mma 
20 (Adjacency Matrix), Arc. mma (Edge Index Matrix), Cons. mma 
(Constraint Matrix) , Flow Adj .mma (Adjacency Matrix with Flow 
values), and Inc-mma (Incidence Matrix). In addition to the 
above files, Adj .mo and FlowAdj .mo are generated in the mma 
directory. These files contain the data only arranged in row- 
25 column format . 

Vulnerability nodes can be grouped together in a 
single node as follows. Choose Algorithms and Group Nodes and 
then choose one of Host, Id., Type, Host and Type, or common 
Child. In Figure 27, a vulnerability graph is shown before 
30 nodes have been grouped. After choosing Group aind Host, the 
graph in Figure 28 is created. Choosing Edit and Group 
Control -seeNode brings up the menu shown in Figure 29 which 
can be used to create or remove selected groups . 

In order to facilitate adding an attack node, select 
35 the node to which the attacker should be adjacent and then 
choose Algorithms and Security Analysis Models and Add Attack 
Point. An attack node will be automatically created and 
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attached directly to the selected node. Note that the 
attacking node must be labeled "Attacker" in order to be 
recognized as the attacker in the algorithms. 

The tool is also capable of manually editing 
5 vulnerability graphs in order to analyze "what if" scenarios. 

As an example, load the exan^le gml graph as 
explained supra. Choose the Select Nodes button. The goal of 
this example will be to move the attack node from Host A 
Vulnerability 1 to Host B Vulnerability 2. This will 
10 demonstrate how to delete and create nodes and create and 
modify edges. Select the Attack and then choose Edit and 
Delete Selected Items. Both the Attack node and its adjacent 
edge will be removed. Select Create Nodes. Click on the graph 
near Host B vulnerability 2 . This will create a new node as 
15 shown in Figure 30. 

Choose Select Nodes and double -click on the new 
node. The window shown in Figure 31 should appear. Enter 
Attacker for the label then choose apply. The label should be 
changed from a node number to "Attacker." 
20 Next choose Create Edges and select the Attacker 

node. The new edge should follow the cursor as it moves. 
Select Host B Vulnerability 2. An arrow should appear 
connecting the two nodes and directed from the Attacker to the 
vulnerability node. Choose Select Edges and double -click on 
25 the new edge. The window shown in Figure 32 should appear. 
Enter a value for the label and choose Accept. The graph 
should appear as shown in Figure 33- . 

Select Host C Vuln 4 and run the probabilistic 
analysis. The textural result is shown in Figure 34 and the 
30 graphical result is shown in Figure 35. Notice that the 
probability of successful attack is 0.226 in this analysis and 
0.729 in the previous case. This should be expected since the 
path of most probable attack is longer in this analysis. 

The present invention is capable of displaying the 
35 results of the vulnerability analysis in a number of ways. As 
seen above, the results can be displayed either graphically 
or texturally. In addition to the 2 -dimensional graphical 
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analysis, the invention provides a 3 -dimensional topological 
display of the vulnerabilities in the network. This technique 
allows easy identification of the security wealcnesses within 
the network by displaying a clear 3 -dimensional view of 
5 mountain peaks cuid valleys super- imposed upon the network node 
layout. The node layout can be grouped by physical location 
or by type. The invention then allows one to examine the 
intact upon the entire network of the location of various 
security safeguards within the network, thus facilitating a 
10 security cost-benefit analysis. and optimizing the placement 
of security safeguards. Because it is difficult to know from 
where an attack will take place, the flow from every node to 
every other node is calculated. A contour is drawn based on 
the accumulated vulnerability and the distance from each node . 
15 An exan5)le contour is shown in Figure 36. The contour shows 
the rate of change of vulnerability as one moves through the 
network. The resulting topological map or an alternative 
density plot graph provides quick visual information 
indicating where vulnerabilities lie. This topological display 
2 0 aspect of the invention was written and implemented in 
Mathema tica. 

The overall vulnerability of network is represented 
by a directed graph of all vulnerability chains or paths that 
an attacker could use to invade the network. The present 

25 invention allows easy identification of the security 
weaknesses of the entire network to specific threats by 
identifying the path of least resistance to the attacker •s 
target . The invention then allows one to examine the impact 
of locating various security safeguards within the network, 

30 thus facilitating a security cost-benefit analysis and 
optimizing the placement of security safeguards. Finally, one 
embodiment of the present invention displays the results of 
the analysis in both a 2 -dimensional and 3 -dimensional 
(topological) display. 

35 While only certain preferred features of the 

invention have been illustrated and described, many- 
modifications and changes will occur to those skilled in the 
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art. It is, therefore, to be understood that the appended 
claims are intended to cover all such modifications and 
changes as fall within the true spirit of the invention. 
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We Claim: 

1. A method of analyzing multiple computer network 
vulnerabilities, comprising: 

gathering vulnerability data from one or more hosts 
5 within the network; and 

generating a directed graph from the gathered 
vulnerability data where nodes in the directed graph represent 
vulnerabilities within the network, and paths between nodes 
are defined as edges, and the edges represent probability 
0 values associated with moving from one vulnerability to 
another . 

2. The method of claim 1, wherein all edges between the 
same two nodes are normalized into a single probability value. 

3. The method of claim 2 further comprising: 
multiplying probabilities of paths in series from 

a source node to a destination node; 

adding probabilities of paths in parallel from the 
source node to the destination node; and 

determining from the multiplication and addition the 
probabilities of all routes from the source node to the 
destination node. ' 

4 . The method of claim 3 , wherein a most probable route 
between the source node and the destination node represents 
a most vulnerable attack path. ...... 

5. The method of claim 2, further comprising: 
using an optimization technique to determine maximum 

insecurity flow from a source node to a destination node, 
wherein the optimization technique maximizes flow from the 
source node while conserving flow through intermediate edges 
of the graph. 

6. The method of claim 2, further comprising: 
finding a minimum number of nodes that can be 
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deleted from the graph resulting in a partitioning of the 
graph into at least two isolated sections. 

7. The method of claim 2, further comprising: 

displaying the directed graph. 

5 8. The method of claim 7, wherein the display comprises 

a two-dimensional graph displayed on a monitor. 

9. The method of claim 7 wherein the display comprises 
textural information displayed on a monitor. 

10. The method of claim 2 further comprising: 

10 multiplying probabilities of paths in series from 

each node in the network to every other node in the network; 

adding probabilities of paths in parallel from each 
node in the network to every other node in the network; and 
determining from the multiplication and addition 
15 steps the probabilities of all routes from each node in the 
network to every other node in the network. 

11. The method of claim 10, further comprising: 
generating a topological display of the directed 

graph . 

20 12. The method of claim 2, further comprising: 

using an optimization technique to determine maximum 
insecurity flow from each node in the network to every other 
node in the network, wherein the optimization technique 
maximizes flow from each node while conserving flow through 

25 intermediate edges of the graph. 

13. The method of claim 1, further comprising: 

determining a placement of security safeguards based 
on predetermined cost limitations . 



14. 



The method of claim 13, further comprising: 
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determining the placement of security safeguards 
based on a minimum accepted quality of network service to 
legitimate users of the network. 

15- A system for analyzing multiple computer network 

5 vulnerabilities, comprising: 

a processor that includes coTt5>uter- executable 
instructions for gathering vulnerability data from one or more 
hosts within the network; and generating a directed graph from 
the gathered vulnerability data; wherein nodes in the directed 
10 graph represent vulnerabilities within the network, and paths 
between nodes are defined as edges; and wherein the edges 
represent probability values associated with moving from one 
vulnerability to another- 

16. The system of claim 15, wherein the processor 
15 further includes computer -executable instructions for 

multiplying probabilities of paths in series from a 'source 
node to a destination node; adding probabilities of paths in 
parallel from the source node to the destination node; and 
determining from the multiplication and addition the 
2 0 probabilities of all routes from the source node to the 
destination node. 

17. The system of claim 15, further comprising: 
a monitor, for displaying .the directed graph 

18 . A computer readable storage medium, comprising 

25 coii5)uter-executable instructions for: 

gathering vulnerability data from one or more hosts 

within a computer network; and 

generating a directed graph from the gathered 

vulnercdDility data, wherein nodes in the directed graph 
30 represent vulnerabilities within the network, and paths 

between nodes are defined as edges, and wherein the edges 

represent probability values associated with moving from one 

vulnerability to another. 
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